Sequel Sequel


By: smashmaster

Tags: Misc ImaginaryCTF-2022

Problem Description:

I stored my flag in my SQL server, but since I followed best practices, there's no way that you can get it! `ssh [email protected] -p 42022` with password `p4ssw0rd10`


Reveal Hints Broaden your minds! Read the extensionless.

Ok so let’s sftp! In ubuntu the sftp is integerated into nautilus (file manager), so I can just view it like any other directory on my system. we see three files We have 3 files. It appears we have a mysql database with the flag in it, with a log in we know. Here are the contents of setup.sqland mysql.cnf

CREATE USER 'ethan'@'' IDENTIFIED BY 'p4ssw0rd10';
USE ictf;
CREATE TABLE ictf (flag varchar(255));
INSERT INTO ictf (flag) VALUES ('ictf{REDACTED}');
GRANT SELECT ON ictf.ictf TO 'ethan'@''

And here’s setup mysql.cnf.

# Copyright (c) 2014, 2021, Oracle and/or its affiliates.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2.0,
# as published by the Free Software Foundation.
# This program is also distributed with certain software (including
# but not limited to OpenSSL) that is licensed under separate terms,
# as designated in a particular file or component or in included license
# documentation.  The authors of MySQL hereby grant you an additional
# permission to link the program and your derivative works with the
# separately licensed software that they have included with MySQL.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License, version 2.0, for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA

# The MySQL  Server configuration file.
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
#log-error      = /var/log/mysql/error.log
# By default we only accept connections from localhost
bind-address   =
# Disabling symbolic-links is recommended to prevent assorted security risks

Oof we can’t directly connect, so we’ll need to have service running on the machine connect to it for us! The other thing besides mysql stuff in the openssh configuration. Let’s take a look at our last config file which tells us about the ssh we just connected to.

PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
Subsystem sftp internal-sftp
AllowUsers ethan
Match user ethan
     ChrootDirectory /ftp
     X11Forwarding no
     ForceCommand internal-sftp

Hmm x11 forwarding is off, but we can conjecture that normal port forwarding is on. Let’s test this out! But wait, we still need to get around another challenge. Even if we request a port forward, our connection is instantly terminated.

How can we get around that? My research came to the hacktricks site on tunneling and port forwarding. It turns out we need the -N to not open a shell which kills our connection. According to the manpages.

-N Do not execute a remote command. This is useful for just forwarding ports. So we just add -N and yay it doesn’t get killed!

Conclusion: Remeber that ssh is a complex protocol. Unlike telnet it does more than spawn a psuedo-terminal for the user. It can also

  • tcp tunnel ports in both directions
  • transfer files (we call this sftp)
  • x11 forwarding allows gui programs on the server to run on the client’s x server.

You can find probaly more features by opening a gui ssh client like putty.